Cyber Threat Actor: APT34
| Actor Type | Location | Known Incidents |
Nation State
|
Iran
|
5 incidents |
|---|
Profile
APT34, also known as OilRig and Helix Kitten, is an Iranian state‑sponsored threat actor that has been publicly linked to operations originating from Iran. The group’s aliases appear in multiple security reports and in a 2019 data leak that exposed internal APT34 infrastructure, confirming its association with Iran’s Ministry of Intelligence. According to the provided sources, the actor conducts activities that serve both espionage and disruptive objectives, focusing on private sector entities as well as governmental targets in the Middle East and beyond.
The actor’s typical targeting includes energy companies, aviation infrastructure, assistive technology firms, and government offices across countries such as Bahrain, Israel, Italy, Turkey, Saudi Arabia, the United States and various European nations. Strategic objectives observed in the incidents are the theft of digital certificates to enable covert surveillance and the deployment of data‑wiping malware to disrupt operations. These objectives are explicitly described in the Forbes article detailing the theft of AI Squared certificates for use in Helminth malware campaigns and in the ZDNet report on the Dustman wiper used against Bahrain’s national oil company.
Notable themes in the actor’s tactics, techniques and procedures involve the use of custom backdoors such as Poison Frog and Glimpse, the employment of the EldoS RawDisk component for destructive actions, and the reliance on spear‑phishing with malicious Excel files or fake job‑offer websites to gain initial access. The actor has also been observed exploiting VPN vulnerabilities, escalating privileges via domain controllers, and distributing malware through internal networks using SMB. Tooling includes the Helminth surveillance kit, the Dustman and ZeroCleare wiper families, and occasional use of open‑source remote access tools like PupyRAT. Publicly reported operations that illustrate these patterns include the December 2019 Dustman attack on Bapco, the 2016 certificate theft from AI Squared followed by Helminth distribution via phishing, and the March 2019 leak of internal APT34 tools and member data through a Telegram channel by Lab Dookhtegan. These examples demonstrate the actor’s focus on stealthy espionage, occasional disruptive wiper deployments, and the continual evolution of its toolset.
